9848ce81fd16294ff6ddb08141e1e5ee609a506a3ec62e5809724c223534b0e1

General

Target

9848ce81fd16294ff6ddb08141e1e5ee609a506a3ec62e5809724c223534b0e1.exe
Size

3.6MB
MD5

c5f4579a1c5f04a2dd11d388a8a8127b
SHA1

5ee5ba933846823a262034a7554ef65c4d0a54b9
SHA256

9848ce81fd16294ff6ddb08141e1e5ee609a506a3ec62e5809724c223534b0e1
SHA512

83c36b65a74f783f22caf2e15382e71250326972389acb8d9b30a85d309aff2cdabab04b6cd849039460f8db4e2da9f629c7231c00f4a2ff910980fdba83dfe2
SSDEEP

49152:2U9oNaEjUMxTG9Dxn2vqEmSBm4yxRNSdJiZ+2H7w:IxTIn2yEmSBm4y/NSdJiZLH

Score

8^/10

adware discovery persistence stealer

Malware Config

Signatures

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c2dce8d5-5a41-426d-a197-a6411aeb6e96}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c2dce8d5-5a41-426d-a197-a6411aeb6e96}\InprocServer32\ = "C:\\Program Files (x86)\\GGoSave\\3C1hXgWfiNHSmE.x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c2dce8d5-5a41-426d-a197-a6411aeb6e96}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c2dce8d5-5a41-426d-a197-a6411aeb6e96}\InprocServer32	regsvr32.exe

Loads dropped DLL 3 IoCs

Processes:

9848ce81fd16294ff6ddb08141e1e5ee609a506a3ec62e5809724c223534b0e1.exeregsvr32.exeregsvr32.exe

pid process

1776 9848ce81fd16294ff6ddb08141e1e5ee609a506a3ec62e5809724c223534b0e1.exe
1560 regsvr32.exe
1416 regsvr32.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
1776	9848ce81fd16294ff6ddb08141e1e5ee609a506a3ec62e5809724c223534b0e1.exe
1560	regsvr32.exe
1416	regsvr32.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

9848ce81fd16294ff6ddb08141e1e5ee609a506a3ec62e5809724c223534b0e1.exeregsvr32.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{c2dce8d5-5a41-426d-a197-a6411aeb6e96}\NoExplorer = "1"	9848ce81fd16294ff6ddb08141e1e5ee609a506a3ec62e5809724c223534b0e1.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{c2dce8d5-5a41-426d-a197-a6411aeb6e96}	9848ce81fd16294ff6ddb08141e1e5ee609a506a3ec62e5809724c223534b0e1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c2dce8d5-5a41-426d-a197-a6411aeb6e96}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c2dce8d5-5a41-426d-a197-a6411aeb6e96}\ = "GGoSave"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c2dce8d5-5a41-426d-a197-a6411aeb6e96}\NoExplorer = "1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c2dce8d5-5a41-426d-a197-a6411aeb6e96}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{c2dce8d5-5a41-426d-a197-a6411aeb6e96}	9848ce81fd16294ff6ddb08141e1e5ee609a506a3ec62e5809724c223534b0e1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{c2dce8d5-5a41-426d-a197-a6411aeb6e96}\ = "GGoSave"	9848ce81fd16294ff6ddb08141e1e5ee609a506a3ec62e5809724c223534b0e1.exe

Drops file in Program Files directory 8 IoCs

Processes:

9848ce81fd16294ff6ddb08141e1e5ee609a506a3ec62e5809724c223534b0e1.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\GGoSave\3C1hXgWfiNHSmE.tlb	9848ce81fd16294ff6ddb08141e1e5ee609a506a3ec62e5809724c223534b0e1.exe
File created	C:\Program Files (x86)\GGoSave\3C1hXgWfiNHSmE.dat	9848ce81fd16294ff6ddb08141e1e5ee609a506a3ec62e5809724c223534b0e1.exe
File opened for modification	C:\Program Files (x86)\GGoSave\3C1hXgWfiNHSmE.dat	9848ce81fd16294ff6ddb08141e1e5ee609a506a3ec62e5809724c223534b0e1.exe
File created	C:\Program Files (x86)\GGoSave\3C1hXgWfiNHSmE.x64.dll	9848ce81fd16294ff6ddb08141e1e5ee609a506a3ec62e5809724c223534b0e1.exe
File opened for modification	C:\Program Files (x86)\GGoSave\3C1hXgWfiNHSmE.x64.dll	9848ce81fd16294ff6ddb08141e1e5ee609a506a3ec62e5809724c223534b0e1.exe
File created	C:\Program Files (x86)\GGoSave\3C1hXgWfiNHSmE.dll	9848ce81fd16294ff6ddb08141e1e5ee609a506a3ec62e5809724c223534b0e1.exe
File opened for modification	C:\Program Files (x86)\GGoSave\3C1hXgWfiNHSmE.dll	9848ce81fd16294ff6ddb08141e1e5ee609a506a3ec62e5809724c223534b0e1.exe
File created	C:\Program Files (x86)\GGoSave\3C1hXgWfiNHSmE.tlb	9848ce81fd16294ff6ddb08141e1e5ee609a506a3ec62e5809724c223534b0e1.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

Processes:

regsvr32.exe9848ce81fd16294ff6ddb08141e1e5ee609a506a3ec62e5809724c223534b0e1.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{c2dce8d5-5a41-426d-a197-a6411aeb6e96}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	9848ce81fd16294ff6ddb08141e1e5ee609a506a3ec62e5809724c223534b0e1.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{c2dce8d5-5a41-426d-a197-a6411aeb6e96}	9848ce81fd16294ff6ddb08141e1e5ee609a506a3ec62e5809724c223534b0e1.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{C2DCE8D5-5A41-426D-A197-A6411AEB6E96}	9848ce81fd16294ff6ddb08141e1e5ee609a506a3ec62e5809724c223534b0e1.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	9848ce81fd16294ff6ddb08141e1e5ee609a506a3ec62e5809724c223534b0e1.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{C2DCE8D5-5A41-426D-A197-A6411AEB6E96}	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe

Modifies registry class 64 IoCs

Processes:

9848ce81fd16294ff6ddb08141e1e5ee609a506a3ec62e5809724c223534b0e1.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\CLSID	9848ce81fd16294ff6ddb08141e1e5ee609a506a3ec62e5809724c223534b0e1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{c2dce8d5-5a41-426d-a197-a6411aeb6e96}	9848ce81fd16294ff6ddb08141e1e5ee609a506a3ec62e5809724c223534b0e1.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{c2dce8d5-5a41-426d-a197-a6411aeb6e96}\Programmable	9848ce81fd16294ff6ddb08141e1e5ee609a506a3ec62e5809724c223534b0e1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0	9848ce81fd16294ff6ddb08141e1e5ee609a506a3ec62e5809724c223534b0e1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib	9848ce81fd16294ff6ddb08141e1e5ee609a506a3ec62e5809724c223534b0e1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32	9848ce81fd16294ff6ddb08141e1e5ee609a506a3ec62e5809724c223534b0e1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c2dce8d5-5a41-426d-a197-a6411aeb6e96}\ProgID\ = ".9"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\..9	9848ce81fd16294ff6ddb08141e1e5ee609a506a3ec62e5809724c223534b0e1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\ = "GGoSave"	9848ce81fd16294ff6ddb08141e1e5ee609a506a3ec62e5809724c223534b0e1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CLSID\ = "{c2dce8d5-5a41-426d-a197-a6411aeb6e96}"	9848ce81fd16294ff6ddb08141e1e5ee609a506a3ec62e5809724c223534b0e1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{c2dce8d5-5a41-426d-a197-a6411aeb6e96}\Programmable	9848ce81fd16294ff6ddb08141e1e5ee609a506a3ec62e5809724c223534b0e1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{c2dce8d5-5a41-426d-a197-a6411aeb6e96}\InprocServer32\ = "C:\\Program Files (x86)\\GGoSave\\3C1hXgWfiNHSmE.dll"	9848ce81fd16294ff6ddb08141e1e5ee609a506a3ec62e5809724c223534b0e1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C2DCE8D5-5A41-426D-A197-A6411AEB6E96}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	9848ce81fd16294ff6ddb08141e1e5ee609a506a3ec62e5809724c223534b0e1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR	9848ce81fd16294ff6ddb08141e1e5ee609a506a3ec62e5809724c223534b0e1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32	9848ce81fd16294ff6ddb08141e1e5ee609a506a3ec62e5809724c223534b0e1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}	9848ce81fd16294ff6ddb08141e1e5ee609a506a3ec62e5809724c223534b0e1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}	9848ce81fd16294ff6ddb08141e1e5ee609a506a3ec62e5809724c223534b0e1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	9848ce81fd16294ff6ddb08141e1e5ee609a506a3ec62e5809724c223534b0e1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C2DCE8D5-5A41-426D-A197-A6411AEB6E96}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C2DCE8D5-5A41-426D-A197-A6411AEB6E96}\Implemented Categories	9848ce81fd16294ff6ddb08141e1e5ee609a506a3ec62e5809724c223534b0e1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib"	9848ce81fd16294ff6ddb08141e1e5ee609a506a3ec62e5809724c223534b0e1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0"	9848ce81fd16294ff6ddb08141e1e5ee609a506a3ec62e5809724c223534b0e1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	9848ce81fd16294ff6ddb08141e1e5ee609a506a3ec62e5809724c223534b0e1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32	9848ce81fd16294ff6ddb08141e1e5ee609a506a3ec62e5809724c223534b0e1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry"	9848ce81fd16294ff6ddb08141e1e5ee609a506a3ec62e5809724c223534b0e1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c2dce8d5-5a41-426d-a197-a6411aeb6e96}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c2dce8d5-5a41-426d-a197-a6411aeb6e96}\InprocServer32\ = "C:\\Program Files (x86)\\GGoSave\\3C1hXgWfiNHSmE.x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\ = "GGoSave"	9848ce81fd16294ff6ddb08141e1e5ee609a506a3ec62e5809724c223534b0e1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CLSID	9848ce81fd16294ff6ddb08141e1e5ee609a506a3ec62e5809724c223534b0e1.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{c2dce8d5-5a41-426d-a197-a6411aeb6e96}\ProgID	9848ce81fd16294ff6ddb08141e1e5ee609a506a3ec62e5809724c223534b0e1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}	9848ce81fd16294ff6ddb08141e1e5ee609a506a3ec62e5809724c223534b0e1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	9848ce81fd16294ff6ddb08141e1e5ee609a506a3ec62e5809724c223534b0e1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib	9848ce81fd16294ff6ddb08141e1e5ee609a506a3ec62e5809724c223534b0e1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\Version = "1.0"	9848ce81fd16294ff6ddb08141e1e5ee609a506a3ec62e5809724c223534b0e1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\ = "GGoSave"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CLSID\ = "{c2dce8d5-5a41-426d-a197-a6411aeb6e96}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c2dce8d5-5a41-426d-a197-a6411aeb6e96}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CurVer\ = ".9"	9848ce81fd16294ff6ddb08141e1e5ee609a506a3ec62e5809724c223534b0e1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{c2dce8d5-5a41-426d-a197-a6411aeb6e96}\VersionIndependentProgID\	9848ce81fd16294ff6ddb08141e1e5ee609a506a3ec62e5809724c223534b0e1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	9848ce81fd16294ff6ddb08141e1e5ee609a506a3ec62e5809724c223534b0e1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CurVer\ = ".9"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c2dce8d5-5a41-426d-a197-a6411aeb6e96}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\Version = "1.0"	9848ce81fd16294ff6ddb08141e1e5ee609a506a3ec62e5809724c223534b0e1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	9848ce81fd16294ff6ddb08141e1e5ee609a506a3ec62e5809724c223534b0e1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c2dce8d5-5a41-426d-a197-a6411aeb6e96}\VersionIndependentProgID\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c2dce8d5-5a41-426d-a197-a6411aeb6e96}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\Program Files (x86)\\GGoSave\\3C1hXgWfiNHSmE.tlb"	9848ce81fd16294ff6ddb08141e1e5ee609a506a3ec62e5809724c223534b0e1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}	9848ce81fd16294ff6ddb08141e1e5ee609a506a3ec62e5809724c223534b0e1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\Version = "1.0"	9848ce81fd16294ff6ddb08141e1e5ee609a506a3ec62e5809724c223534b0e1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}	9848ce81fd16294ff6ddb08141e1e5ee609a506a3ec62e5809724c223534b0e1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CurVer	9848ce81fd16294ff6ddb08141e1e5ee609a506a3ec62e5809724c223534b0e1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{c2dce8d5-5a41-426d-a197-a6411aeb6e96}\ = "GGoSave"	9848ce81fd16294ff6ddb08141e1e5ee609a506a3ec62e5809724c223534b0e1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{c2dce8d5-5a41-426d-a197-a6411aeb6e96}\InprocServer32	9848ce81fd16294ff6ddb08141e1e5ee609a506a3ec62e5809724c223534b0e1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0	9848ce81fd16294ff6ddb08141e1e5ee609a506a3ec62e5809724c223534b0e1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32	9848ce81fd16294ff6ddb08141e1e5ee609a506a3ec62e5809724c223534b0e1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	9848ce81fd16294ff6ddb08141e1e5ee609a506a3ec62e5809724c223534b0e1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ = "ILocalStorage"	9848ce81fd16294ff6ddb08141e1e5ee609a506a3ec62e5809724c223534b0e1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\ = "GGoSave"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{c2dce8d5-5a41-426d-a197-a6411aeb6e96}\ProgID	9848ce81fd16294ff6ddb08141e1e5ee609a506a3ec62e5809724c223534b0e1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\GGoSave"	9848ce81fd16294ff6ddb08141e1e5ee609a506a3ec62e5809724c223534b0e1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\Version = "1.0"	9848ce81fd16294ff6ddb08141e1e5ee609a506a3ec62e5809724c223534b0e1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	9848ce81fd16294ff6ddb08141e1e5ee609a506a3ec62e5809724c223534b0e1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	9848ce81fd16294ff6ddb08141e1e5ee609a506a3ec62e5809724c223534b0e1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	9848ce81fd16294ff6ddb08141e1e5ee609a506a3ec62e5809724c223534b0e1.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

9848ce81fd16294ff6ddb08141e1e5ee609a506a3ec62e5809724c223534b0e1.exeregsvr32.exe

description	pid	process	target process
PID 1776 wrote to memory of 1560	1776	9848ce81fd16294ff6ddb08141e1e5ee609a506a3ec62e5809724c223534b0e1.exe	regsvr32.exe
PID 1776 wrote to memory of 1560	1776	9848ce81fd16294ff6ddb08141e1e5ee609a506a3ec62e5809724c223534b0e1.exe	regsvr32.exe
PID 1776 wrote to memory of 1560	1776	9848ce81fd16294ff6ddb08141e1e5ee609a506a3ec62e5809724c223534b0e1.exe	regsvr32.exe
PID 1776 wrote to memory of 1560	1776	9848ce81fd16294ff6ddb08141e1e5ee609a506a3ec62e5809724c223534b0e1.exe	regsvr32.exe
PID 1776 wrote to memory of 1560	1776	9848ce81fd16294ff6ddb08141e1e5ee609a506a3ec62e5809724c223534b0e1.exe	regsvr32.exe
PID 1776 wrote to memory of 1560	1776	9848ce81fd16294ff6ddb08141e1e5ee609a506a3ec62e5809724c223534b0e1.exe	regsvr32.exe
PID 1776 wrote to memory of 1560	1776	9848ce81fd16294ff6ddb08141e1e5ee609a506a3ec62e5809724c223534b0e1.exe	regsvr32.exe
PID 1560 wrote to memory of 1416	1560	regsvr32.exe	regsvr32.exe
PID 1560 wrote to memory of 1416	1560	regsvr32.exe	regsvr32.exe
PID 1560 wrote to memory of 1416	1560	regsvr32.exe	regsvr32.exe
PID 1560 wrote to memory of 1416	1560	regsvr32.exe	regsvr32.exe
PID 1560 wrote to memory of 1416	1560	regsvr32.exe	regsvr32.exe
PID 1560 wrote to memory of 1416	1560	regsvr32.exe	regsvr32.exe
PID 1560 wrote to memory of 1416	1560	regsvr32.exe	regsvr32.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

9848ce81fd16294ff6ddb08141e1e5ee609a506a3ec62e5809724c223534b0e1.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	9848ce81fd16294ff6ddb08141e1e5ee609a506a3ec62e5809724c223534b0e1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{c2dce8d5-5a41-426d-a197-a6411aeb6e96} = "1"	9848ce81fd16294ff6ddb08141e1e5ee609a506a3ec62e5809724c223534b0e1.exe

C:\Users\Admin\AppData\Local\Temp\9848ce81fd16294ff6ddb08141e1e5ee609a506a3ec62e5809724c223534b0e1.exe
"C:\Users\Admin\AppData\Local\Temp\9848ce81fd16294ff6ddb08141e1e5ee609a506a3ec62e5809724c223534b0e1.exe"
1⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1776

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\GGoSave\3C1hXgWfiNHSmE.x64.dll"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1560

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\GGoSave\3C1hXgWfiNHSmE.x64.dll"
3⤵
- Registers COM server for autorun
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies Internet Explorer settings
- Modifies registry class
PID:1416

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GGoSave\3C1hXgWfiNHSmE.dat
Filesize
4KB

MD5
adc4d9ebf767bb20dd1dccdda030c1e6

SHA1
26220b74c64f9eda053bc2e4b82e590abe9e26aa

SHA256
4a0f787b54d508424e63b9e788da19aa83a79164c3238e48a9652166fdc6ed7c

SHA512
8dcea002f58ff7c2ffc65b7fb4dc9fa10bda975e425a9e0ac8e7b2c4f3aa565e8adaf73ffa3205688dab026d45806744947905d8d1fd32c12a55faa139038a09

Download Submit
C:\Program Files (x86)\GGoSave\3C1hXgWfiNHSmE.tlb
Filesize
3KB

MD5
b1a4e76275892ad545a7d719916e3695

SHA1
4f45032610fe523709dddc6328df2ab41bfc6821

SHA256
9024103b19d15599b22e4d43d2943a53b32d6d8748ce604d47a4dc7215c003f2

SHA512
80162657386e57db4acf69f9efc4617772adb6ac2b2b1a61d9233b2084327b9fd89a20e2ae69ff4bf768ea991fd43dfb75274adb387e2319eecf4a4e9a5ff3f0

Download Submit
C:\Program Files (x86)\GGoSave\3C1hXgWfiNHSmE.x64.dll
Filesize
692KB

MD5
4d04114c6d8e09e4016804a11c4cbff2

SHA1
e5a20bc2ba6e5659bfaa91aac9ec01ed525acb8a

SHA256
4f7e6a67018e3234042f194ad9f693b28361e278c1d1fc3418211e96d9f7748f

SHA512
da05e86be651703d03c2b3f41ab8bf8a9d97614a27e5fe6edbab7f2e7c4996d796c1a9cb8633f7d5fdb9ad054250ecc00e8fc9ba4dccfdd33e299b20789f3022

Download Submit
\Program Files (x86)\GGoSave\3C1hXgWfiNHSmE.dll
Filesize
614KB

MD5
fe244b3aac644eadd90f578b1275438e

SHA1
5d132d5be73f07706f4f9581af4738400a8f62b6

SHA256
189c8adf5b5bc1ddeae2b272f14761c83c68c462d541e4130abcb15f853cd8b5

SHA512
1f764e2a1fdf8a0aeec9c2eed1316a6f3b41b3249093928767134e3cb38905b5171ecb37a6c8ca90be4b601ba8701e7a756eb37794b3173aafb9989b15f88b7c

Download Submit
\Program Files (x86)\GGoSave\3C1hXgWfiNHSmE.x64.dll
Filesize
692KB

MD5
4d04114c6d8e09e4016804a11c4cbff2

SHA1
e5a20bc2ba6e5659bfaa91aac9ec01ed525acb8a

SHA256
4f7e6a67018e3234042f194ad9f693b28361e278c1d1fc3418211e96d9f7748f

SHA512
da05e86be651703d03c2b3f41ab8bf8a9d97614a27e5fe6edbab7f2e7c4996d796c1a9cb8633f7d5fdb9ad054250ecc00e8fc9ba4dccfdd33e299b20789f3022

Download Submit
\Program Files (x86)\GGoSave\3C1hXgWfiNHSmE.x64.dll
Filesize
692KB

MD5
4d04114c6d8e09e4016804a11c4cbff2

SHA1
e5a20bc2ba6e5659bfaa91aac9ec01ed525acb8a

SHA256
4f7e6a67018e3234042f194ad9f693b28361e278c1d1fc3418211e96d9f7748f

SHA512
da05e86be651703d03c2b3f41ab8bf8a9d97614a27e5fe6edbab7f2e7c4996d796c1a9cb8633f7d5fdb9ad054250ecc00e8fc9ba4dccfdd33e299b20789f3022

Download Submit
memory/1416-67-0x0000000000000000-mapping.dmp

Download
memory/1416-68-0x000007FEFB731000-0x000007FEFB733000-memory.dmp

Filesize
8KB

Download
memory/1560-63-0x0000000000000000-mapping.dmp

Download
memory/1776-54-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download
memory/1776-55-0x0000000000D40000-0x0000000000DE6000-memory.dmp

Filesize
664KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads